CVE-2024-32641 CRITICAL

CVE-2024-32641: Masa CMS Vulnerable to Pre-Auth RCE via JSON API

Vendor Masacms
Product MasaCMS
Weakness CWE-94 · Code injection
Published December 3, 2025
Last update December 3, 2025

CVSS base score

9.8/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Confidentiality High
Integrity High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

What the vulnerability does

01Description

Masa CMS is an open source Enterprise Content Management platform. Masa CMS versions prior to 7.2.8, 7.3.13, and 7.4.6 are vulnerable to remote code execution. The vulnerability exists in the addParam function, which accepts user input via the criteria parameter. This input is subsequently evaluated by setDynamicContent, allowing an unauthenticated attacker to execute arbitrary code via the m tag. The vulnerability is patched in versions 7.2.8, 7.3.13, and 7.4.6.

Key dates

02Disclosure timeline

December 3, 2025 CVE published
December 3, 2025 Record updated